
Outpost Security Suite found BiFrost and Bzub trojans [Solved]

jtg22 (Member, 111 posts)

Posted 29 September 2013 - 01:15 AM

I installed Outpost Security Suite today to replace my old firewall. During a malware scan, Outpost found the Trojans Bzub and Bifrost on my computer. Outpost claims to have removed them; however, I would like to do some double checking just to make sure everything is fine with my computer.

Additional information: I installed Outpost due to having to remove Online armor from my computer a few days ago. Two weeks ago, on September 17, MSE received an automatic update that apparently made it and Online Armor have some sort of conflict. Essentially, it made my computer have a 15 minute BSoD every time I'd turn it on. This problem has not occurred since removing Online Armor. This being said, there were a few days when I was only using the windows firewall.


godawgs (Teacher, Retired Staff, 8,228 posts)

Posted 29 September 2013 - 10:46 AM

Hello jtg22, welcome back to the forums! My name is godawgs and I will be assisting you with your virus / malware issues. I will start working on your malware issues. This may, or may not, solve other issues you have with your machine. The fixes are specific to your problem and should only be used for this issue on this machine!

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then carefully follow all future instructions:

You must reply to posts within four days. If you haven't replied within that time, the topic will be closed! If you need additional time to complete things, just let me know. If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!

This board can notify you when a new reply is added to a topic. Please read this topic to find out how to do that.

Please do not run any tools unless instructed to do so.

We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability. Do as the instructions ask, nothing extra. Do Not run things twice unless instructed.

Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

If I ask a Question just answer it, don't run anything unless directed to.

Please read every post completely before doing anything.

Pay special attention to the NOTE: lines, or anything in red. These entries identify an individual issue or important step in the cleanup process.

Please make sure you are saving and printing the instructions out prior to each fix, this way you will have them on hand just in case you are unable to access this site. Some of the steps I will be asking you to do may require you to boot into Safe Mode and this process will be much easier for you to perform if the instructions are printed out for you to follow.

Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post unless directed otherwise.

Logs from malware diagnostic or removal programs (OTL is one of them) can take some time to analyze.

I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of this forum (sometimes).

Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.

Lastly, please be aware that removing malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. Some infections are so severe that we might encounter situations where the only recourse is to re-format and re-install your operating system. Don't worry, this only happens in severe cases, but, sadly, it does happen. In light of this, be prepared to back up your data. Have means of backing up your data available.

IMPORTANT: Change your browser(s) to download any tools to the desktop. Follow the directions here:

For Firefox, check the dot beside "Always ask me where to save files."

For Chrome, check the box beside "Ask where to save each file before downloading".

NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

I don't really see anything in the OTL scan except that the OnlineArmour Security Suite that you installed includes antivirus protection. That means that you have two antivirus programs on the system, Online Armour and MSE. This is not recommended. Having more than one AV program can make the computer slower because they both want control of every file that is accessed, downloaded, etc.; eventually they will conflict with each other causing problems, and because they both want control of the system they can actually provide LESS protection than having just one AV program.

If you were happy with MSE I would remove the OnlineArmour Security Suite completely and turn the Windows firewall back on. The firewall in Windows 7 is very effective, and if you are connected to the internet through a router or gateway you don't really need a 3rd party firewall. But if you want to keep OnlineArmour then you should uninstall MSE.

Right click the file and click Run as Administrator. If you get a UAC window, allow the file to run.

If it asks you if you want to download the latest virus definitions, click Yes (for ZeroAccess) or "No"

Be sure the A/V Scan: is set to QuickScan

Click the "Scan" button to start the scan

On completion of the scan click save log. Save it to your desktop and post in your next reply.

NOTE: When you run aswMBR, if it is shutdown automatically, then it is most likely the infection detecting that aswMBR is running and terminating it. In this situation you should rename the executable (aswMBR.exe) to iexplore.exe and try it again.

Step-2.

AdwCleaner by Xplode

Download AdwCleaner. Click here and then click the Download Now @ BleepingComputer button. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.

Click the Scan button and wait for the scan to finish.

After the Scan has finished the window may or may not show what it found and above the progress bar you will see Pending. Please uncheck elements you don't want to remove.Do Not delete anything at this time.

Click the Report button to get the log.

Copy and Paste it into your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[R0].txt.

Click the X in the upper right corner of the program or click the File menu and click Exit to close the program.

Vista / 7 Users: Right click on the icon and click Run as Administrator.

Make sure all other windows are closed.

You will see a console like the one below:

Click the box beside Scan All Users at the top of the console

Click the box beside Include 64bit Scans at the top of the console.

Make sure the Output box at the top is set to Standard Output.

Check the boxes beside LOP Check and Purity Check.

Place the mouse pointer inside the box, right click and click Paste. This will put the above script inside OTL

Click the button. Do not change any settings unless otherwise told to do so.

Let the scan run uninterrupted.

When the scan completes, it will open OTL.Txt. This file is also saved in the same location as OTL (it should be on your desktop).

Please copy the contents of this file and paste it into your reply. To do that:

On the OTL.txt file Menu Bar click Edit then click Select All. This will highlight the contents of the file. Then click Copy.

Right click inside the forum post window then click Paste. This will paste the contents of the OTL.txt file in the in the post window.

Step-4.

Things For Your Next Post: Please post the logs in the order requested. Do Not attach the logs unless I request it.

1. Let me know what you want to do about the antivirus programs
2. The aswMBR log
3. The AdwCleaner[R0].txt log
4. The new OTL.txt log

jtg22 (Member, Topic Starter, 111 posts)

Posted 29 September 2013 - 01:21 PM

While running these scans, should I turn off Outpost's active malware protection / scanner? While running aswMBR, Outpost popped up to inform me it had found ~70 suspicious files in the C:\Users\John\Appdata\temp folder. It did this a few times yesterday too (I quarantined and removed the threats). I can't decide if it's removing legitimate threats or just overreacting to something.

Computer Name: JOHN-PC | User Name: John | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

godawgs (Teacher, Retired Staff, 8,228 posts)

Posted 29 September 2013 - 05:33 PM

The aswMBR scan is clean. The AdwCleaner only found a couple of Registry keys that we will remove. I still don't see anything jump out at me in the OTL log except the issue I brought to your attention in my initial post....so I will ask again.

Multiple Antivirus Programs Installed

I see that you have more than one antivirus program installed and running, MSE and Online Armor Security Suite. You should only have one antivirus program installed and running. Antivirus programs run in the background providing continuous protection of your system. It's called Real-Time Protection, or scanning, and it uses system resources as it runs. Two or more antivirus programs running at the same time will use 2 or 3 times the amount of system resources, or more. Because each program wants control of the system, there will be conflicts, including false positives. The end result is actually LESS antivirus protection.

I am really surprised they are both working, but having both of them on the system will eventually cause conflicts and problems.

If you only want the Online Armor firewall you need to completely uninstall the Online Armor Security Suite. Then you can download just the free Online Armor firewall. Click here and then click the Download button.

If you want to keep the Online Armor antivirus and firewall then leave the Online Armor Security Suite alone and uninstall MSE.

A third option would be to uninstall the Online Armor Security Suite and then turn the Windows firewall on. The Windows 7 firewall is very good. And if you connect to the internet using a router or Gateway then you don't really need a firewall that has inbound and outbound protection.

jtg22 (Member, Topic Starter, 111 posts)

Posted 29 September 2013 - 06:45 PM

When you say I have Online Armor Antivirus, are you referring to Outpost Security Suite AntiVirus, or is there actually an Online Armor Antivirus on my computer as well? While I've used the Online Armor free firewall in the past, I do not believe I've ever used an online armor antivirus program. Outpost, however, does seem to have an antivirus program (incidentally, it was Outpost that detected the trojans).

I uninstalled the Online Armor free firewall last week due to a conflict between it and MSE. I installed Outpost Security Suite on Saturday based on advice from this thread:

At the time of installing Outpost, I was not aware that it also came with an antivirus program.

(Side note: the third firewall option no longer offers a free version. It's either use Online Armor or Outpost).

...

So, in regards to my multiple antivirus programs, these would be my questions:

-Is Outpost the 2nd antivirus program you are referring to, or is it an online armor program I'm unaware of? If it is Online Armor, what do I need to do to remove it (since I thought I already uninstalled it all)?

-Assuming Outpost is the 2nd antivirus program, which is the better program between it and MSE?

godawgs

Posted 30 September 2013 - 01:08 AM

Sorry. I got Online Armor confused with Outpost Security Suite. But Outpost Security Suite also includes an antivirus program.

(Side note: the third firewall option no longer offers a free version. It's either use Online Armor or Outpost).

Huh? The third option included turning on the Windows 7 firewall. It's free.

So, in regards to my multiple antivirus programs, these would be my questions:

-Is Outpost the 2nd antivirus program you are referring to, or is it an online armor program I'm unaware of? If it is Online Armor, what do I need to do to remove it (since I thought I already uninstalled it all)?

-Assuming Outpost is the 2nd antivirus program, which is the better program between it and MSE?

I use, and GeeksToGo recommends, MSE. It uses less system resources than most, its detection rates are just as good or better than most, and it plays very well with the Windows operating system, meaning that it doesn't have nearly the conflicts with the Windows system or other programs that other antivirus programs have.

The Outpost firewall is a good firewall. But it only comes with a Security Suite meaning an antivirus program is included so you can't use the MSE antivirus program. The Online Armor firewall is a good one also but it causes too many conflicts with other programs for my taste.

Yes and no. That topic was first written when XP was the Windows operating system. Most of the suggestions are still valid today. But some of them could stand updating. As an example, the XP firewall wasn't very good, mainly because it was written entirely into the registry. Vista was an improvement, but not much. But the Windows firewall in Windows 7 is very good. A lot of people don't use the Windows firewall in Windows 7 because it only protects against inbound threats and they think that they have to have protection against inbound and outbound threats, but like I said earlier, if you connect to the internet using a router or gateway you don't need the protection against outbound threats. Many of our instructors, Techs, malware removal helpers and other staff members use the Windows firewall with a good antivirus program.

The decision is ultimately yours. Just let me know if you want to keep the Outpost Security Suite so we can uninstall the MSE program. Or if you want to keep the MSE antivirus program we will uninstall the Outpost Security Suite and then either turn the Windows firewall back on or download and install a stand alone 3rd party firewall.
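The two points godawgs makes above, that only one antivirus engine should have real-time protection on, and that the built-in Windows 7 firewall is an acceptable inbound filter, can both be checked from a PowerShell prompt instead of by hunting through tray icons. The script below is an added example for this write-up, not one of the helper's instructions or a tool from the thread. It reads the `root\SecurityCenter2` WMI namespace that Action Center itself uses, so a forgotten engine bundled with a "security suite" shows up by its registered name. It assumes Windows Vista/7 or later with PowerShell 2.0; the decoding of `productState` is the widely used community interpretation, not a documented Microsoft contract, so confirm it against what Action Center shows.

```powershell
# Added example (not from the thread): list every antivirus and third-party
# firewall product registered with Windows Security Center and flag the case
# the thread is about: more than one AV engine with real-time protection on.
# PowerShell 2.0 compatible (Get-WmiObject, no -shr operator, no Get-CimInstance).

function Decode-ProductState {
    param([int]$State)
    # Assumption: community decoding of the undocumented productState value.
    #   bits 12-15: 0x1 = real-time protection enabled, 0x0 = disabled
    #   bits  4-7:  0x0 = definitions current,          0x1 = out of date
    New-Object PSObject -Property @{
        Enabled  = (($State -band 0xF000) -eq 0x1000)
        UpToDate = (($State -band 0x00F0) -eq 0x0000)
    }
}

function Get-SecurityCenterProducts {
    $products = @()
    # Windows Firewall itself does not register under FirewallProduct; only
    # third-party firewalls (Outpost, Online Armor, ...) appear there.
    foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
        Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                $st = Decode-ProductState -State $_.productState
                $products += New-Object PSObject -Property @{
                    Kind     = $class
                    Name     = $_.displayName
                    Enabled  = $st.Enabled
                    UpToDate = $st.UpToDate
                    State    = ('0x{0:X}' -f $_.productState)
                    Path     = $_.pathToSignedProductExe
                }
            }
    }
    $products
}

$products = Get-SecurityCenterProducts
$products | Format-Table Kind, Name, Enabled, UpToDate, State, Path -AutoSize

# The condition godawgs warns about: two engines both claiming real-time control.
$activeAv = @($products | Where-Object { $_.Kind -eq 'AntiVirusProduct' -and $_.Enabled })
if ($activeAv.Count -gt 1) {
    $names = ($activeAv | ForEach-Object { $_.Name }) -join ', '
    Write-Warning ("{0} antivirus engines have real-time protection enabled: {1}" -f $activeAv.Count, $names)
}

# Built-in firewall state per profile. Windows 7 has no Get-NetFirewallProfile
# cmdlet (that arrived with Windows 8), so netsh is the portable way to ask.
netsh advfirewall show allprofiles state
```

Run it after uninstalling the suite you decided against: the AntiVirusProduct list should shrink to one `Enabled = True` entry, and each `netsh` profile should read `State ON` before you go back online without a third-party firewall. An entry that lingers with `Enabled = False` after an uninstall usually means the product's Security Center registration was left behind; that is cosmetic, but worth knowing about before blaming conflicts on a program that is no longer there.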

jtg22 (Member, Topic Starter, 111 posts)

Posted 30 September 2013 - 05:03 PM

Ideally, I would like to use MSE with another firewall. I had Online Armor before, and yeah it did seem to overreact to quite a few things.

Before dumping Outpost, there is one matter I'd like to check into. It has run its malware scan a few times since being installed. While it did find the trojans mentioned in the thread title, it also keeps finding a number of items fitting the following description:

Outpost reportedly finds these in rather large batches (up to 80 usually). I'm guessing that this is Outpost just overreacting to temp data, but I'd like to be sure of this before I go and remove it. For the record, MSE never brought up any of these items.

...

The "missing" third option I was referring to was the third firewall option on the Malware software advice page. One of the three firewall providers, Sunbelt Firewall, no longer provides that firewall for free anymore.

godawgs

Posted 01 October 2013 - 09:11 AM

The files in the Temp folders will be cleared when we run an OTL fix. Any Temp file that is being created in a Temp folder by a program will be recreated when the program that needs it runs again.

As for what Outpost found, it could be a couple of things. We know that no antivirus program can catch everything. We also know that when you have two or more antivirus programs on the computer the chances of false positives go up. And Outpost may be listing them because they are in a Temp folder. My quick research of just the file names doesn't show anything malicious. But we will be running some additional scans and an online scan to make sure we catch everything that is malicious.
But the first thing we need to do is get rid of one of the antivirus programs.

If you want to use MSE we can always uninstall Outpost and re-enable the Windows firewall until we are sure the system is clean. Then you can install any firewall you want and turn the Windows firewall back off.

Warning: This fix is relevant for this system and no other. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.

2. Please re-open on your desktop. To do that:

Vista and 7 users: Right click the icon and click Run as Administrator

3. Place the mouse pointer inside the textbox, right click and click Paste. This will put the above script inside the textbox.
4. Click the button.
5. Let the program run unhindered.
6. OTL may ask to reboot the machine. Please do so if asked.
7. Click the button.
8. A report will open. Copy and Paste that report in your next reply.
9. If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log (where mmddyyyy_hhmmss is the date of the tool run).
10. Run OTL again and click the button. Post the log it produces in your next reply.

Step-4.

Things For Your Next Post: Please post the logs in the order requested. Do Not attach the logs unless I request it.

1. The AdwCleaner[S0].txt log
2. The JRT.txt log
3. The OTL fixes log
4. The new OTL.txt log

Files\Folders moved on Reboot...
C:\Users\John\AppData\Local\Temp\7zS338A\HPSLPSVC64.DLL moved successfully.
C:\Users\John\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
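godawgs noted earlier that a quick look at the file names Outpost flagged in the Temp folder showed nothing malicious; a practitioner would want to settle that on the file contents rather than the names, since a name like HPSLPSVC64.DLL proves nothing either way (a folder named 7zS followed by hex digits is the pattern 7-Zip self-extracting installers use for their scratch directory, which is consistent with installer leftovers, but only the binary itself can confirm that). The script below is an added example for this write-up, not part of the thread or of OTL, and it is PowerShell 2.0 compatible for Windows 7, which is why it hashes with .NET instead of `Get-FileHash` (PowerShell 4.0 and later). The paths in the sample list are the two Temp entries from the OTL "moved on Reboot" output above; substitute whatever a scanner reports on your own machine.

```powershell
# Added example (not from the thread): record SHA-256 hash, Authenticode
# signature status and signer for each file a scanner flagged, so the keep /
# delete decision rests on the binary and not on its file name or folder.
# PowerShell 2.0 compatible (Windows 7): Get-FileHash is not available there.

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-FlaggedFileReport {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            # OTL and quarantines move files; report the absence rather than fail.
            New-Object PSObject -Property @{
                Path = $p; Present = $false; Sha256 = $null; Signature = 'n/a'; Signer = $null
            }
            continue
        }
        # Status is Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        # A .txt or .dat file will simply come back NotSigned / UnknownError.
        $sig = Get-AuthenticodeSignature -FilePath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        New-Object PSObject -Property @{
            Path      = $p
            Present   = $true
            Sha256    = Get-Sha256Hex -Path $p
            Signature = $sig.Status.ToString()
            Signer    = $signer
        }
    }
}

# Sample input: the two Temp entries from the OTL log above. OTL moves what it
# removes to C:\_OTL\MovedFiles, so the originals can still be checked there.
$flagged = @(
    "$env:LOCALAPPDATA\Temp\7zS338A\HPSLPSVC64.DLL",
    "$env:LOCALAPPDATA\Temp\FXSAPIDebugLogFile.txt"
)

Get-FlaggedFileReport -Paths $flagged |
    Format-Table Present, Signature, Signer, Sha256, Path -AutoSize
```

A `Valid` signature from a vendor you recognise, on a file sitting where that vendor's installer would put it, is strong evidence of a false positive; `HashMismatch` or `NotTrusted` on something claiming to be a system DLL is the opposite. For unsigned files, the SHA-256 is what to look up in a multi-engine scanner or hand to the helper, since it identifies the exact bytes regardless of how many times the file is recreated in Temp.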

godawgs

Posted 03 October 2013 - 10:37 AM

Thanks. The new OTL log looks clean. Let's scan for any residual malware files. The OTL log shows that you have MalwareBytes installed.

Before you run the next steps please disable any screen saver you have running.

Step-1.

Malwarebytes' Anti-Malware

Close all programs and browsers on your computer and disable any screen saver you might have running.

Right click the MalwareBytes icon on the desktop and click Run As Administrator, then click the Continue button on the UAC window. You will now be at the main program as shown below.

Click the Update tab and update the program if required.

On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer. MBAM will now start scanning your computer for malware. This process can take quite a while, so I suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.

When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the removal process.

You will now be back at the main Scanner screen. At this point you should click on the Show Results button.

A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

Make sure that everything is checked EXCEPT items in System Restore (see the image below), and click Remove Selected<---Very Important.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step-2.

Run ESET Online Scanner:

Note: Optimized for Internet Explorer but you can use Chrome or Mozilla FireFox for this scan.

You will need to right-click on either the Internet Explorer or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

Note: If using Mozilla Firefox, a window will open telling you that you will need to download the ESET Smart Installer. Click on esetsmartinstaller_enu.exe to download the Smart Installer. Save it to the desktop.
When prompted, double click on the icon on the desktop. After successful installation of ESET Smart Installer, ESET Online Scanner is launched in a new window. All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

A new window will open:

Select the option YES, I accept the Terms of Use then click on:

When prompted allow the Add-On/Active X to install. The following window will open:

Uncheck the box beside Remove Found Threats

Check the box Scan archives.

Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications

Scan for potentially unsafe applications

Enable Anti-Stealth Technology

Now click on:

The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.

When completed the Online Scan will begin automatically. The scan may take several hours.

Wait for the scan to finish. Do not touch either the Mouse or keyboard during the scan. Otherwise it may stall.

When The Scan is Complete:

If No Threats Were Found:

Put a checkmark in Uninstall application on close

Close the program

Report to me that nothing was found

If Threats Were Found:

Click on list of threats found

Click on export to text file and save it to the desktop as ESET SCAN.txt

Click on Back

Put a checkmark in Uninstall application on close Be sure you have saved the file first

Click on Finish

Close the program

Don't forget to enable your Antivirus program and screen saver.

Step-3.

Things For Your Next Post: Please post the logs in the order requested. Do Not attach the logs unless I request it.

1. The MalwareBytes log
2. The ESET scan log (if it found anything). If it didn't, just tell me.